This has been a long time coming from me, I think! During the crazy times we are living in here in 2020, this is something I should have worked on much earlier to give folks a bit of a leg up on reading material. Coming full circle, I feel this is something that really needs updating within our field. One of the few places where a collective reading list for beginners, or anyone else, can be found is over on the r/computerforensics subreddit. If I am recalling correctly, that list was curated by many within the field back in 2013-2014. Just how long ago was that? macOS had not been released under that name yet (it was still OS X). Neither had Windows 10. Nor had the shift to the cloud happened for many employers and would-be techies. That poses a significant problem: one of the most popular channels for current students and younger readers is feeding them outdated material. No, not ALL of it is outdated, per se, and some will say that knowing the fundamentals and how we got here helps build understanding. To those I would say: do you feel it is a requirement that those getting started in the field should know how to analyze a floppy disk? Or how to use practices that we have now largely dismissed as invalid or just flat-out inefficient?
What about SSDs, and that wonderful absolute that was always recited in court: "changes could not be made, it was behind a write-blocking tool"? A write blocker stops the host from issuing writes, but an SSD's own controller can still run garbage collection in the background (for example, wiping blocks the operating system had already marked free via TRIM), so the stored data can change without any command from the examiner. I would say we would all say no to that absolute now, right? In this day and age, who has the time to learn something you would never use?
Without further ado, I present what I believe are the top 10 must-have books for your DFIR career:
10. File System Forensic Analysis
Author: Brian Carrier
Date Published: 2005
As you'll see further down, there are some older books on this list, and this is the oldest at 2005. It still holds an extremely relevant place within the industry, because in order to provide expert analysis on something, you need to know how it functions at the file system level. Brian does a phenomenal job of providing the reader with an easy-to-follow guide through the file systems an examiner is most likely to see. You leave this book knowing how FAT, NTFS, Ext2/3 and UFS actually work, down to the smallest (albeit vital) details of the bits and bytes in the on-disk structures. From my own learning through academia, vendor-taught classes and other information security training, nothing gets this far into the weeds of file system structure. If there is any book on here that should appease the old-school examiners and investigators, it is this one.
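To make concrete what "down to the bits and bytes" means, here is an added example (my code, not Brian's and not from the book) that parses the BIOS Parameter Block of a FAT boot sector and derives the layout an examiner needs before recovering a single file: where the FAT copies start, where the root directory and data area begin, and which sector a given cluster number maps to. The boot sector is constructed inside the script, so it runs with no disk image; the field offsets are those of the FAT specification, and the sanity checks are the ones I would want before trusting a volume whose boot sector may be damaged.

```python
import struct

BPB_FORMAT = "<HBHBHHBHHHII"   # common BIOS Parameter Block, offsets 11..35, little-endian


def build_sample_boot_sector():
    """Constructed FAT16 boot sector (512 bytes) for demonstration; not from a real disk."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"          # x86 jump over the BPB to the boot code
    bs[3:11] = b"MSDOS5.0"             # OEM name
    struct.pack_into(BPB_FORMAT, bs, 11,
                     512,     # bytes per sector
                     4,       # sectors per cluster
                     4,       # reserved sectors (boot sector plus three more)
                     2,       # number of FAT copies
                     512,     # root directory entries (fixed root dir, FAT12/16 only)
                     0,       # total sectors, 16-bit field; 0 means use the 32-bit one
                     0xF8,    # media descriptor: fixed disk
                     64,      # sectors per FAT (16-bit field, 0 on FAT32)
                     63,      # sectors per track
                     255,     # heads
                     0,       # hidden sectors before this volume
                     65536)   # total sectors, 32-bit field
    bs[54:62] = b"FAT16   "            # type string: informational only, never trust it
    bs[510:512] = b"\x55\xAA"          # boot signature
    return bytes(bs)


def parse_bpb(sector):
    """Decode a FAT boot sector and compute the volume layout in sectors.

    Raises ValueError on structures an examiner should not trust blindly
    (missing signature, impossible geometry), since a damaged boot sector
    is exactly where automated tools silently go wrong.
    """
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, nfats, root_entries, total16, media,
     spf16, spt, heads, hidden, total32) = struct.unpack_from(BPB_FORMAT, sector, 11)
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bps}")
    if spc == 0 or spc & (spc - 1):
        raise ValueError(f"sectors per cluster must be a power of two, got {spc}")
    if reserved == 0 or nfats == 0:
        raise ValueError("reserved sector count and FAT count must be non-zero")
    total = total16 or total32
    # FAT32 sets the 16-bit sectors-per-FAT to 0 and stores a 32-bit value at offset 36
    spf = spf16 or struct.unpack_from("<I", sector, 36)[0]
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 0 on FAT32
    fat_start = reserved
    root_start = fat_start + nfats * spf
    data_start = root_start + root_dir_sectors
    cluster_count = (total - data_start) // spc
    # FAT type is determined by cluster count, not by the type string at offset 54
    if cluster_count < 4085:
        fs_type = "FAT12"
    elif cluster_count < 65525:
        fs_type = "FAT16"
    else:
        fs_type = "FAT32"
    return {
        "fs_type": fs_type,
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": total,
        "fat_start_sector": fat_start,
        "fat_sectors_each": spf,
        "fat_copies": nfats,
        "root_dir_start_sector": root_start,
        "root_dir_sectors": root_dir_sectors,
        "data_start_sector": data_start,
        "cluster_count": cluster_count,
        "media_descriptor": media,
    }


def cluster_to_sector(layout, cluster):
    """First sector of a data cluster; cluster numbering starts at 2 in FAT."""
    if cluster < 2 or cluster - 2 >= layout["cluster_count"]:
        raise ValueError(f"cluster {cluster} outside the data area")
    return layout["data_start_sector"] + (cluster - 2) * layout["sectors_per_cluster"]


if __name__ == "__main__":
    layout = parse_bpb(build_sample_boot_sector())
    for key, value in layout.items():
        print(f"{key:>22}: {value}")
    print("cluster 5 begins at sector", cluster_to_sector(layout, 5))
```

Point the same parser at the first 512 bytes of a real FAT partition (offset by the partition's starting LBA) and the numbers it returns are the ones you use to locate the FAT, walk a directory, or hand-carve a file from its cluster chain.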
9. The Art of Memory Forensics
Authors: Michael Hale Ligh, Andrew Case, Jamie Levy and Aaron Walters
Date Published: 2014
Easily one of the books that sparked my own interest in memory forensics! Not only are the authors the core developers of Volatility, they wrote what is arguably the best book ever written specifically on memory analysis and the volatile artifacts around it. It covers Windows, Linux and macOS analysis; the mobile material is all but outdated at this point. While the operating systems have changed in the six years since the first edition was published, the tooling has kept pace and the fundamentals the book teaches have not changed. What this book offers is an inherent understanding of what is happening under the hood in a device's volatile memory, along with how to interpret your results properly once you get your output. Again, there are several classes out there that can teach you this, but this is the book to get if you are trying to expand on what you learned in a class, or to read before you take an expensive course to make sure you understand what is going on. It does a fantastic job of staying easy to read: the reader does not need to come in with a deep knowledge of programming languages or system internals. It helps, but it isn't required.
8. Open Source Intelligence Techniques
Author: Michael Bazzell
Date Published: 2019
The newest book on the list! While some would argue that OSINT is not part of DFIR, I would challenge that mentality. The reason is something becoming more prevalent within the industry: threat hunting and threat intelligence. What good is it to collect Indicators of Compromise (IOCs) if you are not going to look at who the actor is? Is your employer being attacked by a nation state, or by someone who watched a video online? These things matter. While the book may not be written with the DFIR practitioner as its intended reader, it certainly provides key concepts, tools and resources that can be used to further investigations. Not to mention it will also help you, and your family, become much more secure in your own dealings online.
7. OS X Incident Response: Scripting and Analysis
Author: Jaron Bradley
Date Published: 2016
As you can tell, we are getting into some of the real niche books in the middle of the list! This is intentional, to a degree. There are so many books out there on foundational concepts, and reading them is like studying for the CISSP: you cover a vast number of topics, but only scratch the surface of what they are and how to apply them. OS X Incident Response is one of those books that you start reading and realize just how wrong all those Apple ads about malware were. It walks you through several different incident response scenarios, and the artifacts and methods that can be leveraged to prove things like data exfiltration, persistence and C2 beaconing. While it was written for OS X on HFS+, most of the concepts still apply to current macOS running on APFS. Hopefully we will see an updated edition soon!
6. Handbook of Digital Forensics and Investigation
Author: Eoghan Casey
Date Published: 2009
The first time I picked this book up, it was for a graduate course teaching more advanced topics outside of traditional dead-box forensics. Personally, I find this book fascinating in many different ways. First, it is extremely well thought out, and its readability is on point for beginners and novices getting into the field. It is a book where the reader is exposed to several of the niche fields within DFIR: network forensics, incident response, dead-box forensics, onsite triage, and so on. I have not found a better book that has been peer reviewed and can still stand up to the scrutiny applied in the forensic sciences. Again, it is much more on the beginner/novice side; however, if you anticipate becoming a mentor at any time, it is a great book to be able to refer to.
5. Investigating Windows Systems
Author: Harlan Carvey
Date Published: 2018
Speaking of updated material, Harlan does what he always does best: keeps the industry supplied with fresh material. Even at two years old, this book has much of what you see in Eoghan's book, but much newer. Harlan also brings his own approach to working investigations on Windows. Here is why I enjoyed it so much: the humility of knowing that none of us can know everything, and the recognition that, from his own methodology and case studies, the reader can learn from what he has done and expand upon it with their own methodology. This is NOT a book like his others where he dives into artifact analysis. Instead it is about the approach I have been describing in this paragraph, and to me that is something the field really needs: the "investigator's mindset." Many examiners may not have an investigative background. So how do you know what was going on in the mind of an attacker during their campaign? How do you know whether they touched specific artifacts, and what they did there? This is something we all need to learn, and I think Harlan does an outstanding job of providing that "mentor" approach to his readers.
4. Practical Malware Analysis
Authors: Michael Sikorski & Andrew Honig
Date Published: 2012
Considered by many in the RE realm to be one of the first books to read, I had to include it on the list, and fairly high up it as well. You would think that without assembly language knowledge this would go completely over your head. It doesn't. Michael and Andrew did a fantastic job of keeping the readability and jargon at a level that many intermediate folks can follow. The examples within the book are streamlined and concise, and there is a great deal of elaboration on them that is truly helpful even for those who are not in the malware RE field at all. To better understand your attacker, you must know why they would do certain things, and there is no better book to help with that than Practical Malware Analysis.
3. Blue/Red Team Field Manuals
Authors: Ben Clark (Red Team Field Manual); Alan White & Ben Clark (Blue Team Field Manual)
Date Published: 2014 (RTFM), 2017 (BTFM)
I actually stumbled upon these field manuals completely by accident. A friend of mine had them both and swore by them, so I picked them up without hesitation. To say they have been game changers is an understatement. Designed for those who are onsite and need to move quickly, they are a great reference of commands and outputs that an investigator, examiner or analyst should understand. The issue with so much within the field is simply that you cannot retain it all; there is too much. So where do you go when you need something quickly? These manuals are the answer to that question, the Red Team Field Manual especially. Don't know what the command is that you're seeing on screen? Look it up in the manual. See something being run that you suspect is malicious? Look it up in the manual. No Internet access for your Google-Fu? You've got your manuals!
2. SQLite Forensics
Author: Paul Sanderson
Date Published: 2018
Paul has been well known in our industry for quite some time. When people have questions about how to pull data out of obscure SQLite tables, Paul has always been able to help. After much pushing from so many of us in the industry, Paul finally wrote the book (literally and figuratively) on SQLite forensics. This book is an absolute MUST HAVE in any examiner's arsenal. Why? When was the last time you parsed a cell phone and didn't come across a SQLite database? Now tell me again how many of the vendors out there parse everything, and parse it perfectly. Go ahead, I'll wait! That's right: you won't see it for everything, and you shouldn't expect to. There are just too many applications out there, and regionally you will see some used over others. Not to mention, with how fast mobile devices are moving, vendors are struggling to keep up. This is one of those books that was written to help YOU, as the examiner, figure out how to do it on your own, so you do not rely only on vendor tools, or on someone else who you hope comes along and solves the problem for you.
If you find yourself looking at SQLite, or databases in general, this is easily one of the best resources out there.
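As an added example (my code, not Paul's and not from the original post), here is the first pass an examiner makes on an app database that no vendor tool parses: enumerate the schema from sqlite_master, pull rows out with plain SQL, and convert the timestamp conventions that trip people up most often. The database, table names and values are constructed for this example; the epoch detection is a magnitude heuristic, and should always be confirmed against a known event on the device before it goes in a report.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple "absolute time"
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/WebKit microseconds


def build_sample_db(path=":memory:"):
    """Constructed stand-in for an unfamiliar chat app database (example data only).

    ZMESSAGE mimics a Core Data table storing Cocoa seconds as REAL; contacts is a
    hand-rolled table storing Unix milliseconds as INTEGER. Two epochs in one file
    is exactly what examiners run into in the wild.
    """
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZTEXT TEXT, ZDATE REAL, ZSENDER INTEGER);
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, handle TEXT, last_seen INTEGER);
    """)
    conn.executemany("INSERT INTO ZMESSAGE VALUES (?, ?, ?, ?)", [
        (1, "are the files ready?", 600000000.0, 7),   # 2020-01-06 10:40:00 UTC (Cocoa s)
        (2, "uploading now", 600000300.0, 7),
    ])
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        (7, "+15555550100", 1578268800000),           # 2020-01-06 00:00:00 UTC (Unix ms)
    ])
    conn.commit()
    return conn


def list_schema(conn):
    """Map every table to its column names, read from the database itself."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    # Identifiers cannot be bound as parameters; these names come from sqlite_master.
    return {t: [col[1] for col in conn.execute(f'PRAGMA table_info("{t}")')]
            for t in tables}


def guess_timestamp(value):
    """Heuristic epoch detection by magnitude; verify against a known event."""
    v = float(value)
    if v > 1e17:                       # Cocoa nanoseconds (newer iOS databases)
        return COCOA_EPOCH + timedelta(seconds=v / 1e9)
    if v > 1e15:                       # WebKit/Chrome microseconds since 1601
        return WEBKIT_EPOCH + timedelta(microseconds=v)
    if v > 1e12:                       # Unix milliseconds
        return UNIX_EPOCH + timedelta(milliseconds=v)
    if v > 1e9:                        # Unix seconds (any date after Sept 2001)
        return UNIX_EPOCH + timedelta(seconds=v)
    return COCOA_EPOCH + timedelta(seconds=v)   # Cocoa seconds


def dump_table(conn, table, time_columns=()):
    """Return rows as dicts, with the named columns converted to UTC ISO strings."""
    cur = conn.execute(f'SELECT * FROM "{table}"')
    names = [d[0] for d in cur.description]
    rows = []
    for rec in cur.fetchall():
        row = dict(zip(names, rec))
        for col in time_columns:
            if row.get(col) is not None:
                row[col] = guess_timestamp(row[col]).isoformat()
        rows.append(row)
    return rows


def messages_from(conn, handle):
    """A targeted join across both tables, the way a report usually needs it."""
    return conn.execute("""
        SELECT m.ZTEXT, m.ZDATE, c.handle
        FROM ZMESSAGE m JOIN contacts c ON c.id = m.ZSENDER
        WHERE c.handle = ? ORDER BY m.ZDATE""", (handle,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for table, cols in list_schema(db).items():
        print(table, cols)
    for row in dump_table(db, "ZMESSAGE", time_columns=("ZDATE",)):
        print(row)
    print(messages_from(db, "+15555550100"))
```

Swap the `:memory:` path for a copy of the real database (never the original, and copy its -wal and -shm files alongside it so you see committed but not yet checkpointed rows) and the same three functions give you schema, contents and a joined view without waiting on a vendor update.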
1. Intelligence Driven Incident Response
Authors: Scott Roberts & Rebekah Brown
Date Published: 2017
Why do I love this book so much? Where to start. First, it has since replaced the incident response book for SANS FOR508, which was getting outdated, so many of our industry leaders felt it was the best book for those attending that course. Second, if your examinations are not funneling some kind of intelligence out of them, you are doing it wrong. It doesn't matter whether you are working law enforcement cases, HR-related matters, eDiscovery or incident response: you are seeing things daily that could be traits of a specific actor, evidence of collusion by employees against their employer, or a criminal conspiracy, and they all can matter. Rebekah and Scott walk you through how to build out an intelligence program, no matter what industry you are in; what the Cyber Kill Chain means and how to apply it properly within your industry; and, most importantly, how to tangibly disseminate information not only internally but externally as well. The one thing our field increasingly needs, regardless of industry, is to talk to one another and help build out these programs. What one person sees today, someone else will all but assuredly see tomorrow.